What Privacy Professionals Should Know About the NIST Cybersecurity Framework

In February of this year, President Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity. The Executive Order directed the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework to assist owners and operators of critical infrastructure in addressing cybersecurity risks. On October 29, NIST published a preliminary version of the Framework (the “Preliminary Framework”), which is open for public comment through December 13. NIST intends to issue a final version in February 2014. The creation of the framework has, of course, been a major development in the information security community – according to NIST Director Patrick Gallagher, approximately three thousand individuals have been involved to date in the development of the Preliminary Framework. But privacy professionals should be paying attention to the framework as well.

The Executive Order directs NIST to include “methodologies . . . to protect individual privacy and civil liberties.” To that end, Appendix B of the Preliminary Framework sets forth a draft Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program (“Privacy Methodology”) based on the Fair Information Practice Principles and organized to track the content of the Framework Core (the part of the framework that describes the elements expected to be present in a cybersecurity program). Notably, for almost every category of cybersecurity outcome identified in the Framework Core, the draft Privacy Methodology describes a corresponding set of privacy practices. The following are examples of how the draft proposes to tie privacy practices to cybersecurity activities:

Data Security: “Implement safeguards at all states of PII’s [personally identifiable information’s] lifecycle within the organization and proportionate to the sensitivity of the PII to protect against loss, theft, unauthorized access or acquisition, disclosure, copying, use or modification.”

Information Protection Processes and Procedures: “Securely dispose of, de-identify, or anonymize PII that is no longer needed. Regularly audit stored PII and the need for its retention.”

Protective Technology: “Audit access to databases containing PII. Consider whether PII is being logged as part of an independent audit function, and how such PII could be minimized while still implementing the cybersecurity activity effectively.”

And the Preliminary Framework’s definition of PII is fairly broad:

Information which can be used to distinguish or trace an individual’s identity such as the individual’s name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

As these examples indicate, the draft Privacy Methodology takes a very expansive view of how organizations should approach and address the privacy implications of cybersecurity operations. Whether or not the proposal changes between now and February 2014, what does the inclusion of privacy and civil liberties ultimately mean for organizations that adopt the final Cybersecurity Framework and for the privacy professionals who work for those organizations? There are at least two significant implications:

A significant role for the privacy function. Because the Executive Order requires the framework to include methodologies to protect privacy, privacy professionals will be called upon to guide and support implementation of the framework through the Privacy Methodology.

A potentially very significant challenge for organizations using the framework: Organizations that adopt the Framework will have to take steps to align their privacy policies, procedures and practices with the Privacy Methodology. Depending on the scope and approach of the final Privacy Methodology, that may be a substantial undertaking.

Once the framework is finalized in February, the federal government will offer incentives for organizations to adopt it, and the framework is likely to be influential beyond the industries deemed critical infrastructure. Government agencies may work with the insurance industry to develop underwriting practices that encourage adoption of cybersecurity measures. Procurement programs will likely favor those organizations that adopt the framework. Adoptees may be afforded liability limitations. And as organizations adopt the framework, they will likely favor doing business with those organizations that have also adopted the framework, which means that organizations outside critical infrastructure will be incentivized to adopt it.

Even without voluntary adoption, the framework may end up becoming part of the regulatory structure. In August, the Administration’s Cybersecurity Coordinator wrote that “agencies will recommend [ways to] make compliance easier, for example: eliminating overlaps among existing laws and regulation, enabling equivalent adoption across regulatory structures.” As agencies take steps to embed the framework into their programs, the framework could end up establishing a comprehensive privacy framework for cybersecurity operations. Because organizations may find it difficult to implement the framework’s privacy methodologies only for cybersecurity operations, the Privacy Methodology could become a de facto set of standards for handling PII.

As mentioned above, the Framework is now open for public comment. NIST has announced that there will be a Cybersecurity Framework workshop November 14-15, and privacy is on the agenda. Organizations have until December 13 to assess the Framework and direct their comments to NIST, which has indicated that it welcomes input on the Privacy Methodology. The comment period provides organizations with an opportunity to voice their suggestions on practical ways to address the role of privacy considerations in the Framework.

Written by Harriet Pearson, CIPP/US, Hogan Lovells
